About the Institute

The Hybrid Vigor Institute is dedicated to rigorous critical thinking and the establishment of better methods for understanding and solving society’s most difficult problems. Our particular emphasis is on cross-sector and collaborative approaches; we seek out experts and stakeholders from a range of fields for their perspectives or to work together toward common goals.
Principals | Advisors | What We Offer



hybridvigor.net houses the work of critical thinkers, researchers and practitioners who conduct cross-sector and cross-disciplinary explorations and collaborations.
Blog | Contributors | Topics

  Subscribe to Hybrid Vigor’s RSS Feed



Privacy | Funding


Contact Us



Intervention by Denise Caruso Read Intervention by Denise Caruso, Executive Director of the Hybrid Vigor Silver Award Winner, 2007 Independent Publisher Book Awards; Best Business Books 2007, Strategy+Business Magazine


by ~ March 29, 2010.
Permalink | Filed under: Hybrid Vigor, Social Trust Online.

The word “trust” appears 32 times in the press release announcing the official launch of the Open Identity Exchange (OIX). Normally, I’d be enthusiastic about such dense coverage of a critical topic, but in this case I question the group’s understanding of the term.

A Governance Template, Not a Trust Framework

OIX is a kind of standards body where techies from various industries come together to prescribe satisfactory methods for identification, so that these IDs can be used across websites. From the OIX site, the process is as follows:

… policymakers representing a trust community (e.g., government, industry association, professional society) start by developing a trust framework specification. This document defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance (LOA). In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection (LOP).

Lastly, the trust framework defines the qualifications necessary to be an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified for a certain LOA or LOP.

Next the policymakers contract with a trust framework provider (TFP) to operate a certification program for the trust framework. A TFP who operates by the OITF model performs the following functions:

  1. Publishes the trust framework so it is publicly accessible.
  2. Accepts listings from assessors who meet the qualifications specified in the trust framework.
  3. Accept listings from identity service providers (and in some cases relying parties) who are successfully certified by a qualified assessor.
  4. Publish updates to the trust framework as it is revised, and periodically renew certifications of participants as required by the trust framework.

Lastly, the OITF model includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of any disputes that may arise.

(Side Note OIX: also don’t abuse the word “lastly.”)

Apparently OIX just hosts the party and provides the napkins (for sketching), but little else. Defining the standards is up to the policy makers and certifying compliance is up to a Trust Framework Provider (TFP)—whatever that is.

Identification isn’t Trust

I suppose that, if successful, OIX will improve the way digital IDs are used. That’s not altogether a bad thing, but it’s also not trust.

By analogy, imagine that, in order to improve the effectiveness of TSA screeners, the government sets a policy requiring travelers to present both a driver license and passport at the airport. Does it follow that everyone inside the secure area of the airport will trust each other? If the TSA screener clears someone, does that mean the screener trusts the traveler? Or that the screener trusts the ID? Do the IDs foster any kind of trust at all?

If there’s one thing I’d like to get through to techies who work these protocols, it’s this: identification isn’t trust. Please find another word to describe what you’re doing.


  1. Mark Lizar

    Hi Mike,

    Like your post. Glad I found your blog, reading your post was inspiring and timely as I just finished writing a response to NSTIC for possible Kantara submission.

    In fact, I quoted this blog post in my submission. I was looking for your email address in the off change that you would be able to see and comment before I have to send it in tomorrow. Commenting on your blog was the next best thing. Looking forward to future posts.

Leave a Reply

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image